Impact
What kind of vulnerability is it? Who is impacted?
The Dockerfile for the conda_forge_webservice container does not set a USER instruction, so every command, including the service's entrypoint, runs as root, which is Docker's default. If a vulnerability in the service is exploited, the attacker therefore starts with root privileges inside the container, which raises the impact of any container escape and increases the risk of privilege escalation and host compromise.
Patches
Has the problem been patched? What versions should users upgrade to?
We deploy to Heroku, which runs every container as an unprivileged user regardless of the image's USER instruction, so our bots were not at risk. That mitigation covers only the Heroku deployment: anyone running this image elsewhere should apply the workaround below.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Create a dedicated non-root user in the Dockerfile, grant it only the permissions the service needs (ownership of its own working directory and nothing more), and set it as the container's runtime user with a USER instruction placed after the build steps that require root (package installation) and before the CMD or ENTRYPOINT. The container process then has no root privileges to escalate from, which limits what an exploited service can do.
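The following is an added example, not code from the conda_forge_webservice repository: a hardened Dockerfile fragment that drops to a dedicated user, plus a small check that reports the effective runtime user of any Dockerfile (Docker honours the last USER instruction of the final stage; no USER means root). The base image, the "webservice" user and UID, the paths and the CMD module name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the project's own Dockerfile or tooling.

# Hypothetical hardened Dockerfile (image, user, UID/GID, paths and CMD are assumptions).
hardened_dockerfile() {
cat <<'EOF'
FROM python:3.11-slim
# Create an unprivileged user and group with a fixed UID/GID and no login shell.
RUN groupadd --gid 10001 webservice \
 && useradd --uid 10001 --gid 10001 --create-home --shell /usr/sbin/nologin webservice
WORKDIR /app
# Root is still needed here: install the application while we have the privileges.
COPY --chown=webservice:webservice . /app
RUN pip install --no-cache-dir .
# Drop privileges for everything that follows, including CMD at runtime.
USER webservice
CMD ["python", "-m", "app"]
EOF
}

# Read a Dockerfile on stdin and print the user the final container process runs as.
# Each FROM starts a new stage as root (a USER in a builder stage does not carry over);
# the last USER instruction in the final stage wins; no USER at all means root.
effective_user() {
  awk '
    toupper($1) == "FROM" { user = "root" }
    toupper($1) == "USER" { user = $2 }
    END { if (user == "") user = "root"; print user }
  '
}

# Exit 0 if the Dockerfile on stdin drops privileges, 1 if it would run as root.
# Accepts names or numeric "uid[:gid]" forms, so "USER 0" and "USER 0:0" are caught.
check_nonroot() {
  u=$(effective_user)
  case "$u" in
    root|root:*|0|0:*) echo "FAIL: container would run as root" >&2; return 1 ;;
    *) echo "OK: container runs as $u"; return 0 ;;
  esac
}

# Usage: lint the hardened fragment and a deliberately unprivileged-less one.
hardened_dockerfile | check_nonroot
printf 'FROM python:3.11-slim\nCMD ["python", "-m", "app"]\n' | check_nonroot || true
```

The check is a static lint for CI; it complements, rather than replaces, verifying the running container with something like a `docker run --rm IMAGE id -u` step, which should print a non-zero UID once the USER instruction is in place.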
References
Are there any links users can visit to find out more?
Reported by 7a Security in partnership with OSTIF.